I cover crime, privacy and security in digital and physical forms.

The FUZE Card lets users store as many as 30 credit cards on one piece of plastic. But its claim to be secure might be giving users a false sense of security, a researcher claims. (Forbes)

Secure, affordable and convenient. That's how the makers of the Fuze Card describe their creation, designed to act as a whole wallet in a single thin device. It can store up to 30 credit cards and uses a lock to protect the data within. It was such a hit with consumers that it raised nearly $2.5 million in Indiegogo funding, with the original cost starting at $160.

But the claim that the card is secure might need reconsideration, after security researcher Mike Ryan told Forbes he came up with code that can easily bypass the Fuze Card's lock to steal credit card data, as long as the hacker has access to the device. Ryan said he reported the vulnerability to BrilliantTS, the manufacturer behind Fuze, but the company had not yet released a fix at the time of publication. He published a video and a blog describing the attack.

Ryan said his hack, consisting of just a small number of Linux commands, was "extremely simple" and claimed it could be incorporated into a basic smartphone app. "All the bad guy needs is physical access to the card (e.g., a waiter at a restaurant). They pair with the card and can steal up to 30 credit card numbers from it," he told Forbes. It's not just numbers that could be pilfered; Ryan said expiration dates and CVV numbers were open to theft too.

The attack relied on the fact the Fuze Card allowed anyone with physical access to pair with it and didn't carry out additional authentication checks, thereby trusting anyone. "To exploit this, I wrote some Linux code that emulates the smartphone app performing legitimate actions, such as unlocking the screen and downloading credit card data. The card is unable to distinguish between my malicious attack tools and a legitimate smartphone app, so from its perspective everything is normal and it will unlock the screen and send the card data," Ryan added.

"Some 'payments' companies like BrilliantTS are not taking protecting their customers' data seriously enough since they had no way for me to report a security bug, and the tech support person I eventually reached didn't seem to fully understand it... I think they're providing a false sense of security."

FUZE responds

There appeared to be some confusion on the BrilliantTS side. Daniel Kim, Fuze Card vice president, told Forbes the company had been first contacted about the particular security issue back in January by researcher Mykel Pritchard from Australian company Elttam. The firm believed Ryan and Pritchard had researched the issue together and so only responded to the latter, leaving Ryan out of the loop, Kim said.

Most importantly, Kim said the company had developed a patch, which would be rolled out in the coming weeks. No specific date has yet been given for that fix.

UPDATE: After publication, Fuze confirmed a fix was coming April 19. Ryan also praised Fuze Card for creating an email address, security@fuzecard.com, for reporting vulnerabilities.
